Snort mailing list archives

Whatever OS We Use


From: "Erickson Brent W KPWA" <erickson () kpt nuwc navy mil>
Date: Mon, 18 Mar 2002 07:48:02 -0800

Whatever OS we use, Snort is the only pig I know that can fly through the
bandwidth, glide through the alerts on ACID, and stream binary captured data
at 100 miles an hour between two systems.

We have been using Snort since version 1.6 and the only limitations we have
encountered so far with Snort have been the limitations of our own
imagination.

So we use Snort for:

1. Real time alerting (in many probes and attacks, Snort provides us an
early enough warning to take action provided we are paying attention)

2. Near real time or after action analysis. Give me the data content on that
suspicious alert e-mail message that I just received.

3. Snort in the DMZ in front of two other Snort systems behind a firewall
that can be used as a firewall and internal Snort system rules verifier.
Shows us and allows us to test what our outer firewall is or is not
effectively blocking. Configure Snort alerts according to your inner and
outer firewall rules for testing and if you try to break into your own
systems.

4. Snort on a Laptop. A great tool for troubleshooting local and remote
customer network connectivity and firewall problems. Big bonus here, Marty,
not to take anything away from TCPDUMP or Ethereal, which we also use. We are
able to quickly troubleshoot many customer connectivity problems with Snort
in a matter of minutes. They call you up, you get their address, and in
seconds after: snort -d -l log host xxx.xxx.xxx.xxx you are capturing their
traffic and detecting what is or is not happening. Saves a lot of
troubleshooting time and money and makes many happy customers.

5. Snort logging all traffic for archive and analysis, two Snort sniffers
streaming the data to 2 NICs on a terabyte server with direct crossover
cables.

6. Snort discovery system. Learn that traffic. What is going on with these
high outbound or inbound ports. So we do a one trick pony system (1 or 2
rules). Maybe we should call it a one trick piggy system. Like so:

alert tcp $EXTERNAL_NET any -> $HOME_NET 4500: (msg:"High Port Inbound Connect Attempt"; flags:S; tag:session,6,packets;)

This and more is all possible thanks to all of you and I mean it.

Brent Erickson
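As an added illustration (not part of Brent's post and not code from the Snort project), here is a small Python model of how Snort reads the one-rule "discovery" signature in item 6. It parses the rule header and options, then checks a few constructed packets against it to show what the open-ended port range `4500:`, the bare `flags:S`, and the `tag` option select. The `$HOME_NET`/`$EXTERNAL_NET` bindings, the sample packets, and the simplified address/port matching are assumptions made for this example; only the rule text itself comes from the post.

```python
"""Toy model of Snort's rule header and option syntax.

Added example, not code from the post or from the Snort project. It parses
the one-rule "discovery" signature quoted in the post, then checks constructed
packets against it, to show what `4500:`, `flags:S` and `tag:session,6,packets`
actually select.
"""
import ipaddress
import re
from dataclasses import dataclass, field

MAX_PORT = 65535

# The rule exactly as posted (on one line, as Snort requires).
POSTED_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 4500: '
               '(msg:"High Port Inbound Connect Attempt"; flags:S; tag:session,6,packets;)')

# Assumed variable bindings for this example; in a real deployment snort.conf defines them.
VARS = {"$HOME_NET": "192.0.2.0/24", "$EXTERNAL_NET": "!192.0.2.0/24"}


@dataclass
class Rule:
    action: str
    proto: str
    src_net: str
    src_ports: tuple
    direction: str
    dst_net: str
    dst_ports: tuple
    options: dict = field(default_factory=dict)


def parse_ports(spec):
    """Port spec -> (low, high): 'any', '80', '4500:' (4500 and up), ':1023', '20:21'.
    Port variables such as $HTTP_PORTS are not modelled here."""
    if spec == "any":
        return (0, MAX_PORT)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0, int(hi) if hi else MAX_PORT)
    return (int(spec), int(spec))


def parse_options(text):
    """'msg:"..."; flags:S; tag:session,6,packets;' -> {'msg': ..., 'flags': 'S', ...}."""
    opts = {}
    for m in re.finditer(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);', text):
        key, val = m.group(1), m.group(2).strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        opts[key] = val
    return opts


HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')


def parse_rule(line):
    """Split 'action proto src sport dir dst dport (options)' into a Rule."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % line)
    action, proto, snet, sport, direction, dnet, dport, opts = m.groups()
    return Rule(action, proto, snet, parse_ports(sport), direction,
                dnet, parse_ports(dport), parse_options(opts))


def addr_matches(spec, ip):
    """Resolve a $VAR or CIDR (optionally negated with '!') and test one address."""
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def endpoints_match(rule, src, sport, dst, dport):
    return (addr_matches(rule.src_net, src) and rule.src_ports[0] <= sport <= rule.src_ports[1]
            and addr_matches(rule.dst_net, dst) and rule.dst_ports[0] <= dport <= rule.dst_ports[1])


def rule_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport, flags (letters of the TCP flags set)."""
    if rule.proto != "ip" and pkt["proto"] != rule.proto:
        return False
    ok = endpoints_match(rule, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if not ok and rule.direction == "<>":
        ok = endpoints_match(rule, pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if not ok:
        return False
    want = rule.options.get("flags")
    # A bare flag list (no '+' or '*' modifier) must match the packet's flags exactly,
    # so flags:S picks out the initial SYN and not the SYN/ACK reply.
    return want is None or set(want) == set(pkt["flags"])


# Constructed packets: an outside host connecting to an inside host on a high port.
SYN_TO_HIGH_PORT = {"proto": "tcp", "src": "198.51.100.7", "sport": 51234,
                    "dst": "192.0.2.10", "dport": 6000, "flags": "S"}
SYN_TO_HTTPS = dict(SYN_TO_HIGH_PORT, dport=443)           # below 4500: no alert
SYNACK_REPLY = dict(SYN_TO_HIGH_PORT, flags="SA")          # not a bare SYN: no alert
INTERNAL_ORIGIN = dict(SYN_TO_HIGH_PORT, src="192.0.2.55")  # source is $HOME_NET: no alert

if __name__ == "__main__":
    r = parse_rule(POSTED_RULE)
    print(r.dst_ports, r.options)
    for name, p in [("SYN_TO_HIGH_PORT", SYN_TO_HIGH_PORT), ("SYN_TO_HTTPS", SYN_TO_HTTPS),
                    ("SYNACK_REPLY", SYNACK_REPLY), ("INTERNAL_ORIGIN", INTERNAL_ORIGIN)]:
        print(name, "alert" if rule_matches(r, p) else "-")
```

Run stand-alone, the script shows that only the first constructed packet fires the rule: the header restricts it to TCP from outside to inside on ports 4500 and above, and `flags:S` narrows that to the first SYN of a connection, so one alert per attempted session rather than one per packet. The `tag:session,6,packets` option then tells Snort to keep logging the next six packets of that same session after the alert, which is what makes the "give me the data content on that suspicious alert" workflow in item 2 possible from a single-rule sensor.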
